Re: Domain-Based VPN with Dynamic Routing

If I use BGP on top of a domain-based VPN, the gateway always prefers the VPN routes. I am trying to find a way to stop the VPN routes from being propagated automatically so that Gaia routing can be used instead.

Due to the number of existing VPN communities, this is a bit painful to transition to route-based VPN.

Re: Domain-Based VPN with Dynamic Routing

Just an update: I tested this scenario in the lab and disabling reroute_encrypted_packets works like a charm. The kernel VPN routes are still there but are not being used to forward traffic; OS routing is being used instead.

Re: Domain-Based VPN with Dynamic Routing

My predecessor chose to configure MEP for fail-over between the on-premise clusters.

However, in a fail-over scenario all the users are still routed (static routing being used to date) through the primary site, causing asymmetric routing.

My goal is to run dynamic routing so that the public cloud connectivity fails over automatically.

The issue currently is the domain-based VPN, which always prefers the VPN kernel routes; the idea is to control how traffic is routed to the public cloud using BGP (CORE switches <--BGP--> On-Premise clusters <--BGP--> Public Cloud Clusters).

Route-based VPN will resolve it as well, but will introduce other challenges, like narrowing down the encryption domains while we have other domain-based VPNs with third parties.

I guess we'll have some healthy debates after Xmas on whether to go ahead with disabling reroute_encrypted_packets or converting everything to route-based VPN.